Forensic job summary as an XML report
Doing a forensic recovery, there will often be several processes. This often includes a disk image, and then may be recovery in two different ways. The Forensic XML report will correlate all these details and produce a simple report of all key actions carried out. Being in XML, it may be opened in Microsoft Word, and used as the basis of a special report on a recovery job.
The option is started from the drop down menu Tools, then select XML Forensic report
The current options allow for the main job name - as entered on the CnW Welcome screen, and then the ability to select the jobs numbers to be included in the main report.
The report starts with a simple job summary, and then has sections giving details of each job. A very useful section shows the relationship between file name extensions and signatures. This can highlight files that have been renamed in an attempt to hide them. There is section where deleted files are found and which files have overwritten them is listed.
The next stage gives a summary of the numbers of files that were created, modified etc within a month. There is a summary of existing files and deleted files. This gives a very brief snap shot of disk how the disk has been used.
This is an area of development for CnW, so any feedback, or extra features will be appreciated. Anticipated features may include
● Analysis of date distribution of files, modified, acceded and created
● Full details of the physical drive
● Full details of partitions
● Full details of key files, such as $MFT
● Which files have overwritten deleted files
Another future development will be a complete report of an individual file. This will include location of all the sectors, and full details of the directory information, including all dates. For a deleted file, that has been overwritten, details of files that overwrote, and associated dates of these files.